The Need for Softer Skills

February 16, 2015

One of the biggest take-aways (and surprises) for me from the 2015 Security Awareness Report is the lack of soft skills in our field. Over 75% of those leading or supporting a security awareness program had very technical backgrounds, including IT admins, security analysts and even webmasters (page 8). In addition, we found most security awareness programs falling under the IT chain of command. Once you read the report, it really makes sense.

If an organization is concerned about the security of its employees, where does it go? The security team. And who makes up most security teams? Highly skilled and highly technical wizards who live and breathe bits and bytes. However, awareness is ultimately about changing human behavior, and doing that effectively comes down to communication. If people do not know what they are supposed to do or why, they will have neither the motivation nor the ability to do what you want (see BJ Fogg's Behavior Model). Now, how much training have most security teams had in communications? Probably very little. In fact, security professionals are taught how NOT to communicate: the less you share, the more secure you are. So, in most cases security professionals are the last people you want leading, or at least communicating, your awareness program. I'm just now beginning to see organizations recognize and address this. I know of two Fortune 500 companies that put out job advertisements for Security Awareness Communicators. In addition, I know of one extremely large bio-tech company that has someone from its communications department embedded full-time in the security team.

Long story short, for us to really start securing the human element, I feel we have to develop our softer skills, starting with communication. For security geeks looking to develop their communications kung-fu, a great place to start is the book Made to Stick, by Chip and Dan Heath.

About the Author

Lance Spitzner

Director, SANS Security Awareness

Lance Spitzner has over 20 years of security experience in cyber threat research, security architecture, awareness and training. He helped pioneer the fields of deception and cyber intelligence and founded the Honeynet Project. In addition, Lance has published three security books, consulted in over 25 countries and helped over 350 organizations build programs to manage their human risk. Lance is a frequent presenter, serial tweeter (@lspitzner) and works on numerous community security projects. Mr. Spitzner served as an armor officer in the Army's Rapid Deployment Force and earned his MBA from the University of Illinois.